Tesla had a rough week, but it could have been a whole lot worse. According to FBI reports, Russian actors spent the summer planning a cyber-attack against Tesla's systems.
Below is a play-by-play of how the plan unfolded, along with 3 lessons we can all learn from Tesla's close brush.
Cybersecurity is not just for the IT department.
When Egor Igorevich Kriuchkov, a 27-year-old Russian national, attempted to penetrate Tesla's systems, he didn't spend years combing through millions of lines of Tesla code or designing a state-of-the-art decryption algorithm. He did something far simpler, much quicker, and vastly more damaging. In fact, Kriuchkov's method didn't require any technical training at all, and could have been executed by just about anyone.
Kriuchkov offered a Tesla engineer $1,000,000 to insert a malware-loaded thumb drive into a computer at the Nevada Gigafactory. That's it. In one fell swoop, the hackers would have had internal access to Tesla's systems, allowing them to exfiltrate corporate and network data. And, if Tesla is like the majority of ransomware victims, this could easily have resulted in millions of dollars in ransom payments.
Insider Threats are among the highest risks facing organizations.
The only reason the plot was foiled is that the employee Kriuchkov approached went to the FBI instead of claiming his million-dollar bounty. In other words, the greatest cybersecurity threat facing Tesla was not a technical or infrastructural vulnerability, but rather a purely social variable: could the company trust its own people?
Data shows that Tesla is far from unique in this way. Silent Breach estimates that insider threats are not only more likely than external variants, but also prove far more damaging when successful. The solution? Invest in employee training sessions, run periodic Insider Threat penetration tests, and focus on culture over tools.
Fortunately for Musk, instead of accepting a million-dollar payday, the employee in question chose to work with the FBI to obtain more information from Kriuchkov about who he was working with and what he was planning. At one point, the informant even wore a wire, helping the authorities gather all the evidence they needed to arrest the would-be hacker as he attempted to flee the country.
Most Penetration Tests are unrealistic.
Far too often, we find that our clients limit the scope of penetration testing to the issues that they think they can successfully pass. While there may be a reason for this decision (e.g. there's no point in taking a test you already know that you'll fail), this approach can also breed a sense of complacency and false security. Instead, at Silent Breach, we encourage our clients to build their scope around the most realistic attack vector, rather than the most simplistic or tidy route.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.
The Tesla case serves as a perfect example. Having an airtight network wouldn't have amounted to much had the company not created an environment in which employees felt comfortable and willing to come forward with potentially damaging information. Time and again, Silent Breach data suggests that the weakest link of nearly every organization is its people. Using simple, yet effective techniques, Silent Breach ethical hackers have found that a layered attack -- combining phishing, vishing, and even physical USB drive drops -- can critically breach 90% of businesses within one week, all without writing a single line of code. The reality is that it's far easier (and cheaper) to fool people than it is to fool a machine. By leaving this out of our own scope, we ensure that hackers will include it in theirs.
With that in mind, we encourage every organization to think like their attackers, consider their weakest links, and turn that output into the scope of their next security tests, resource allocations, and training sessions. And remember: "That's out of scope," said no attacker ever.